
Martin Paul Eve

Professor of Literature, Technology and Publishing at Birkbeck, University of London


Having read two great posts on OpenSSH best practices, I decided today that I wanted to upgrade my SSH key architecture to use Elliptic Curve Cryptography. There were several gotchas involved that I thought it would be worth sharing here. There are, at the time of writing, no packages for Fedora 15 or Debian stable that I could find, so I've worked from source.

Getting ECC working on some systems can be a bit of a pain. Fedora, in particular, has decided, due to patent encumbrance, to remove the header include files for OpenSSL's ECC implementation. To get around this, I therefore recommend reinstalling OpenSSL from source, downloaded from the OpenSSL site. You will be able to tell whether your distro has this problem because, in the ./configure output of OpenSSH, you will see:

checking whether OpenSSL has complete ECC support... no

An easier check, before you even run ./configure, is whether /usr/include/openssl/ecdsa.h exists on the system.

So, once you've got the latest and greatest OpenSSL installed, download the latest OpenSSH portable tar.gz. Then, you'll want to run the following.

On Fedora 15 (after installing OpenSSL from source; the last command in this list needs to be run as root):

tar -xzf openssh-5.8p2.tar.gz
cd openssh-5.8p2
./configure --with-selinux --bindir=/usr/bin --sbindir=/usr/sbin --with-ssl-dir=/usr/local/ssl/
make install

On Debian/Ubuntu (not necessary to install OpenSSL from source):

tar -xzf openssh-5.8p2.tar.gz
cd openssh-5.8p2
./configure --bindir=/usr/bin --sbindir=/usr/sbin
sudo make install

You can then generate an ECDSA key and install it on a server as usual.

ssh-keygen -t ecdsa -b 521
# id_ecdsa is the default file name that ssh-keygen -t ecdsa writes; -i needs the key file, not the directory
ssh-copy-id -i ~/.ssh/id_ecdsa.pub user@server.tld
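As an added example that is not part of the original post, here is a small POSIX sh helper that scripts the checks above: whether the ECC header Fedora strips is present, whether a saved ./configure log reported complete ECC support, and whether the public key that ssh-keygen produced really is an ECDSA key of the requested size. The include directory, log path and key file are parameters; the defaults and the sample inputs are my assumptions, not anything from the post.

```shell
#!/bin/sh
# Pre-flight and post-generation checks for the ECC migration described above.
# Added example; paths given as defaults are assumptions.

# Fedora strips OpenSSL's ECC headers; OpenSSH's configure needs this file.
has_ecdsa_header() {
    [ -f "${1:-/usr/include}/openssl/ecdsa.h" ]
}

# Scan a saved ./configure log for the line quoted above; succeed only on "yes".
configure_reports_ecc() {
    grep -q 'checking whether OpenSSL has complete ECC support\.\.\. yes' "$1"
}

# Map the -b value given to ssh-keygen to the key type string that the
# resulting public key must start with (OpenSSH's ecdsa-sha2-nistpNNN naming).
expected_key_type() {
    case "$1" in
        256) echo ecdsa-sha2-nistp256 ;;
        384) echo ecdsa-sha2-nistp384 ;;
        521) echo ecdsa-sha2-nistp521 ;;
        *) return 1 ;;
    esac
}

# Confirm that a public key file is an ECDSA key of the requested size by
# comparing its first field with the expected type string.
pubkey_matches_bits() {
    want=$(expected_key_type "$2") || return 1
    keytype=$(head -n 1 "$1" | cut -d' ' -f1)
    [ "$keytype" = "$want" ]
}

# Full sequence: refuse to proceed without the ECC header, then create and
# verify a 521-bit key. Needs a working ssh-keygen, so it is not run offline.
migrate_key() {
    has_ecdsa_header "$INCLUDE_DIR" || {
        echo "no ecdsa.h: reinstall OpenSSL from source first" >&2
        return 1
    }
    ssh-keygen -t ecdsa -b 521 -f "$1" -N "" -q || return 1
    pubkey_matches_bits "$1.pub" 521
}
```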

Featured image by Koen Photos under a CC-BY-ND license.